IdP Requirements
To use SAML with Faspex, you must already have an identity provider (IdP) that meets the
following requirements:
- Supports SAML 2.0
- Able to use an HTTP POST Binding.
- Able to connect to the same directory service that Faspex uses.
- Not configured to use pseudonyms.
- Can return assertions to Faspex that include the entire contents of the signing
certificate.
- If prompted, set to sign the SAML response. (Signing the SAML assertion is
optional.)
IdP Metadata Formats
You must configure formats to set up your IdP to
work with Faspex:
| Tag |
Format |
| NameID Format |
Faspex supports the following formats:
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- urn:oasis:names:tc:SAML:1.1:nameid-format:transient
- urn:oasis:names:tc:SAML:1.1:nameid-format:persistent
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
|
| Entity ID |
https://faspex_ip/aspera/faspex/auth/saml/metadata/saml_id |
| Binding |
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
| Callback URL |
https://faspex_ip/aspera/faspex/auth/saml/callback?id=saml_id |
If the IdP is capable of reading SAML XML metadata for a service
provider, you can upload a saved XML metadata file to configure the IdP. You can
retrieve the XML metadata for an existing Faspex by going to
https://faspex_ip/aspera/faspex/auth/saml/metadata/saml_id
and saving the XML file.
Note: The saml_id
specifies the SAML configuration. For example, in the case of multiple SAML
configurations, the first configuration is associated with the SAML ID "1", the
next configuration "2", and so on.
SAML Assertion Requirements
Faspex expects assertion from an IdP to contain the following elements:
| Default Attribute |
Faspex User Field |
Required |
| NameID
|
Username |
Yes |
| email |
Email address |
Yes |
| given_name |
First name |
Yes |
| surname |
Last name |
Optional |
| member_of |
SAML group |
Necessary for SAML groups |
Note: Some IdPs may refer to the NameID attribute as SAML_SUBJECT.
Tip: You can configure the Faspex user fields to map to different attributes
in the Faspex SAML configuration settings.